Often, I hear arguments that go like this: real hackers write code and exploits; everyone else is a script-kiddie.
That is a dumb argument from all sorts of levels. For starters, those who make this observation are usually those who can write code. Therefore, everyone who can’t meet their personal standards/abilities as a coder are “skiddies” who demean the profession.
I find it intriguing that everyone defines the basis for a good pentester by their own capabilities. Clearly you think that you are good and it’s normal to think that everyone will want to be good just like you. Consequently, they should all do as you do, right? Wrong. We need diversity of backgrounds, skills, and opinions. It’s healthy not to inbreed (intellectually or otherwise).
Weaponizing dnscat with shellcode and Metasploit
I’ve been letting other projects slip these last couple weeks because I was excited about converting dnscat into shellcode (or “weaponizing dnscat”, as I enjoy saying). Even though I got into the security field with reverse engineering and writing hacks for games, I have never written more than a couple lines of x86 at a time, nor have I ever written shellcode, so this was an awesome learning experience. Most people start by writing shellcode that spawns a local shell; I decided to start with shellcode that implements a dnscat client in under 1024 bytes (for both Linux and Windows). Like I always say, go big or go home!
robots.txt: important if you’re hosting passwords
This is going to be a fun post that’s related to some of my password work. Some of the text may not be PG13, so parental discretion is advised.
As most of you know, I’ve been collecting password lists. In addition to normal password lists that are useful in bruteforcing, I have a (so far) lame collection of non-hacking dictionaries. Things like cities, English words, etc.
There was a time when the biggest dictionary I had, weighing in at 6.4mb, was a German wordlist. 6.4mb doesn’t sound like much, but at the time I was on a DSL connection; with about 400kbit upstream (on a good day), I could feel every download.
The ultimate faceoff between password lists
Yes, I’m still working on making the ultimate password list. And I don’t mean the 16gb one I made by taking pretty much every word or word-looking string on the Internet when I was a kid; that was called ultimater dictionary. No; I mean one that is streamlined, sorted, and will make Nmap the bruteforce tool of the future!
Trusting the Browser (a ckeditor short story)
My name is Matt Gardenghi. Ron seems to think it important that this post be clearly attributed to someone else (this fact might worry me). I’m an occasional contributor here (see: Bypassing AV). I handle security at Bob Jones University and also perform pentests on the side. (So if you need someone to do work, here’s my shameless plug.) I have acquired the oddly despised CISSP and the more respectable GCFA, GPEN, and GWAPT.
I know a company that purchased some Web 2.0 services. We’ll leave it at that, to protect the guilty. :-p
So, one day a bored user decided that the editor used on the site was annoying. He used GreaseMonkey to replace the editor with his preferred editor. This was “Clue #1” that a problem existed with the Web 2.0 service.
Using Nmap to detect the Arucer (ie, Energizer) Trojan
I don’t usually write two posts in one day, but today is a special occasion! I was reading my news feeds (well, my co-op student (ie, intern) was – I was doing paperwork), and noticed a story about a remote backdoor being included with the Energizer UsbCharger software</a>. Too funny!
Hard evidence that people suck at passwords
As you probably know, I’ve been working hard on generating and evaluating passwords. My last post was all about Rockyou.com’s passwords; next post will (probably) be about different groups of passwords from my just updated password dictionaries page. This will be a little different, though.
How big is the ideal dick…tionary?
As some of you know, I’ve been working on collecting leaked passwords/other dictionaries. I spent some time this week updating my wiki’s password page. Check it out and let me know what I’m missing, and I’ll go ahead and mirror it.
I’ve had a couple new developments in my password list, though. Besides having an entirely new layout, I’ve added some really cool data!
DNS Backdoors with dnscat
I’m really excited to announce the first release of a tool I’ve put a lot of hard work into: dnscat.
It’s being released, along with a bunch of other tools that I’ll be blogging about, as part of nbtool 0.04.
Just a quick note – I updated my blog template a bit. On the right, I added some new links and I added some info about myself at the top. I also added “previous” and “next” links above the posts. Hopefully these changes make it easier to get around. Let me know if I broke anything in the process!
That’s all for today!
Watch out for evil SMB servers: MS10-006
How-to: install an Nmap script
I often find myself explaining to people how to install a script that isn’t included in Nmap. Rather than write it over and over, this is a quick tutorial.
VM Stealing: The Nmap way (CVE-2009-3733 exploit)
If you were at Shmoocon this past weekend, you might remember a talk on Friday, done by Justin Morehouse and Tony Flick, on VMWare Guest Stealing. If you don’t, you probably started drinking too early. :)
Why settle for (stealing) one password?
This is just a quick thought I had at work today – actually, I had it in November, but just got around to posting it now. Common story, but eh?
smb-psexec.nse: owning Windows, fast (Part 3)
Posts in this series (I’ll add links as they’re written):
- What does smb-psexec do?
- Sample configurations ("sample.lua")
- <a href=/blog/?p=404'>Default configuration ("default.lua")</a>
- Advanced configuration ("pwdump.lua" and "backdoor.lua")
Who’s going to Shmoocon?
I’m heading to Shmoocon on Feb 4 - 8, so two things:
a) Who wants to meet up? I have plans on the Saturday, but not much else yet.
b) Please don’t hack me while I’m gone. ;)